The ransom actually paid is becoming an increasingly small element of the total cost of a ransomware attack to a victim organisation or body, with the total cost outpacing the ransom sevenfold, according to data crunched by analysts at Check Point Research.
Check Point's team analysed data held by cyber risk quantification specialist Kovrr in its incident database, together with the contents of the recent Conti leaks, and concluded that the paid ransom – if a payment is even made – is dwarfed by costs such as incident response, reputation management services, system and data restoration, legal fees and new security technology.
It also found that ransomware gangs tend to demand a sum proportional to the annual revenues of the victim, in a range generally set at between 0.7% and 5%. As a general rule, the higher the victim's revenues, the lower the percentage demanded, since a smaller percentage of a larger revenue still represents a higher monetary value.
“Noteworthy is the fact that for victims, the ‘collateral cost’ of ransomware is seven times more than the ransom they pay. Our message to the public is that building in advance proper cyber defences, especially a well-defined response plan to ransomware attacks, can save a lot of money for organisations,” said Sergey Shykevich, Check Point threat intelligence group manager.
“The key learning is that the paid ransom, which is the number most research deals with, is not a key number in the ransomware ecosystem. Both cyber criminals and victims have many other financial aspects and considerations around the attack.”
This was borne out by some of the other findings in the research, which revealed that ransomware gangs have clear ground rules for a “successful” negotiation.
In the case of groups such as Conti, this includes making an accurate estimate of the victim's financial position and whether it holds a cyber insurance policy, as well as the quality and importance of the data they have exfiltrated, and even the approach and interests of the victim's negotiators. Conti in particular also regards its “good” reputation as a negotiating partner as very important, and factors this into its negotiations.
“It’s remarkable just how systematic these cyber criminals are in defining the ransom number and in the negotiation. Nothing is casual and everything is defined and planned according to factors that we’ve described,” said Shykevich.
The research also found that the duration of the average ransomware attack declined significantly over the course of 2021, down to nine days from 15 the previous year. Check Point believes this may be a consequence of organisations having established more appropriate response plans to mitigate the impact of ransomware attacks, after being caught off guard in 2020 by the emergence of double extortion tactics, which are now commonplace.
Check Point said it was clear that the landscape of the so-called ransomware economy is constantly shifting as predators and prey race to gain an advantage – while many organisations have successfully adapted and improved their ransomware preparedness, the attack and negotiation process is also in flux, as the Conti leaks have shown.
Check Point's data was broadly backed up by separate research released earlier this week by Sophos, which offered additional insight into the ransomware economy. Sophos established that the average ransom payment worldwide worked out at just under £650,000, with the total cost of recovery coming in at £1.12m over the first month post-breach – not as dramatic a disparity, but still substantial.
More concerning was one of the top-line findings of Sophos' research, which suggested that a substantial number of ransomware victims who paid a ransom did so despite having the ability to restore their encrypted data. This is likely a function of the rise of double extortion attacks, which means that regardless of whether or not they can restore from backups, victims feel they have no choice but to pay to prevent their data from being leaked publicly or sold on.